# javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

- **ID:** `java/ssl-peer-unverified`
- **Domain:** java
- **Category:** auth_error
- **Verification level:** ai_generated
- **Fix rate:** 85%

## Root cause

The peer's identity was not verified: the TLS client ended up without a server certificate chain that it accepts as authenticating the peer, so the server's identity is not trusted. In practice this almost always means the certificate the server presented chains to a CA that is absent from the truststore the JVM (or the HTTP client library) is using, typically an internal CA or a self-signed certificate.

Two distinctions matter when diagnosing it. When the JDK's own chain validation fails, the handshake is aborted and the error surfaces as `javax.net.ssl.SSLHandshakeException` wrapping `sun.security.validator.ValidatorException: PKIX path building failed`. `SSLPeerUnverifiedException` itself is thrown when code asks for the peer's certificates (`SSLSession.getPeerCertificates()`, `HttpsURLConnection.getServerCertificates()`) on a session that has no verified peer, and by client libraries such as Apache HttpClient and OkHttp when their own hostname verification or certificate pinning rejects the server certificate. Read the message and the stack trace before changing the truststore; if the message names a hostname mismatch, the fix is a certificate with the right subject alternative name, not a trust-store change.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Java 8 | active | — | — |
| Java 11 | active | — | — |
| Java 17 | active | — | — |
| Java 21 | active | — | — |

## Solutions

1. Import the server's CA certificate (the issuer, or the certificate itself if it is self-signed) into the JVM's default truststore with keytool: `keytool -import -alias server -keystore $JAVA_HOME/lib/security/cacerts -file server.crt` (on Java 8 the file lives at `$JAVA_HOME/jre/lib/security/cacerts`; the default password is `changeit`). This changes trust for every application running on that JDK and is lost when the JDK is upgraded, so prefer the next option for anything beyond a local workstation.
2. Point the JVM at a custom truststore that contains the server's CA certificate: `-Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit`. This replaces the default truststore rather than extending it, so the file must also hold any public CAs the application talks to. Build it with `keytool -importcert -alias server -file server.crt -keystore /path/to/truststore.jks` and confirm the entry is present with `keytool -list -keystore /path/to/truststore.jks` before deploying.
3. If you use a client library (for example OkHttp), configure the client with a custom `SSLSocketFactory` built from an `SSLContext` that trusts the specific certificate. OkHttp's `sslSocketFactory(SSLSocketFactory, X509TrustManager)` also requires the matching `X509TrustManager`, and Apache HttpClient needs its own `SSLConnectionSocketFactory`; neither library uses a factory installed through `HttpsURLConnection.setDefaultSSLSocketFactory`, so setting that alone does not help them.
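
The following is an added example, not code from the original page: it implements solutions 2 and 3 in plain JDK code without touching the JDK's `cacerts`. It loads an explicit truststore into an `SSLContext`, installs it on an `HttpsURLConnection` with hostname verification left enabled, and reads back the verified peer chain through the very call that throws `SSLPeerUnverifiedException` when no verified peer exists. The truststore path, password, target host and the `internal-ca` alias are assumed placeholders; the `keytool` command in the comment builds the store the example expects. The same `SSLContext` and `X509TrustManager` pair is what OkHttp's `sslSocketFactory(SSLSocketFactory, X509TrustManager)` takes.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example: trust an internal CA from an explicit truststore instead of
 * editing the JDK's cacerts, then connect and read the verified peer chain.
 * All paths, passwords and hosts below are placeholders (assumptions).
 */
public class TrustedClient {

    // Assumed truststore, built beforehand with:
    //   keytool -importcert -alias internal-ca -file ca.crt \
    //       -keystore truststore.p12 -storetype PKCS12 -storepass changeit
    static final String TRUSTSTORE_PATH = "/path/to/truststore.p12";
    static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();
    // Assumed endpoint whose certificate chains to that CA.
    static final String TARGET = "https://internal.example.test/health";

    /** Loads the truststore and refuses an empty one up front. */
    static KeyStore loadTrustStore(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12"); // use "JKS" for a .jks file
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        if (ks.size() == 0) {
            // An empty store is what a wrong -Djavax.net.ssl.trustStore path silently
            // gives you ("the trustAnchors parameter must be non-empty"); fail loudly.
            throw new IllegalStateException(path + " contains no trusted certificates");
        }
        return ks;
    }

    /** Picks the X509TrustManager backed by the store; OkHttp needs this object too. */
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** SSLContext whose only trust anchors are those in the store; no client certificate. */
    static SSLContext sslContextFor(X509TrustManager tm) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {tm}, null);
        return ctx;
    }

    /**
     * Connects with the given context and returns the verified leaf certificate's subject.
     * Hostname verification stays on: no accept-all HostnameVerifier is installed.
     */
    static String verifiedPeerSubject(SSLContext ctx, String url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(url).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.connect(); // a chain that fails validation surfaces here as SSLHandshakeException
        try {
            // Throws SSLPeerUnverifiedException if the session has no verified peer.
            Certificate[] chain = conn.getServerCertificates();
            return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = trustManagerFor(loadTrustStore(TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD));
        SSLContext ctx = sslContextFor(tm);
        // For OkHttp, hand over the same pair instead of using HttpsURLConnection:
        //   new OkHttpClient.Builder().sslSocketFactory(ctx.getSocketFactory(), tm).build()
        try {
            System.out.println("verified peer: " + verifiedPeerSubject(ctx, TARGET));
        } catch (SSLHandshakeException e) {
            // "PKIX path building failed": the signing CA is missing from the truststore.
            System.err.println("handshake failed, fix the truststore: " + e.getMessage());
        } catch (SSLPeerUnverifiedException e) {
            // No verified peer identity (for example a library-level hostname or pin check failed).
            System.err.println("peer not verified: " + e.getMessage());
        }
    }
}
```

Run it against an endpoint signed by the CA in the truststore and it prints the server's subject DN; point it at an endpoint signed by a CA that is not in the store and the handshake fails with the `PKIX path building failed` message, which is the signal to add that CA rather than to loosen the trust manager. Keeping the two `catch` blocks separate is deliberate: they correspond to the two different failures described under the root cause, and only the first is fixed by editing the truststore.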

## Ineffective attempts

- **Set `-Djavax.net.ssl.trustStore` to a non-existent file to bypass trust validation.** — The JVM silently falls back to an empty truststore, which produces a different SSL error, `java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty`, and does nothing for peer verification. (90% failure rate)
- **Disable verification by setting `HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true)`.** — This only disables hostname verification, and only for `HttpsURLConnection` (OkHttp and Apache HttpClient use their own verifiers); the certificate chain is still validated against the truststore, so the error persists whenever the chain is the problem. Where a hostname mismatch was the actual cause, it merely hides the check that would catch a server presenting someone else's certificate. (80% failure rate)
- **Keep the self-signed certificate but ignore all trust issues with a custom `TrustManager` that trusts everything.** — This removes server authentication entirely, so anyone who can intercept the connection can impersonate the server; it may be tolerable on a developer machine but is a security risk and may violate organizational policy. It is also easy to get wrong, because some libraries such as Apache HttpClient require the trust manager to be configured explicitly rather than picking up a JVM-wide default, so the error can remain even after the "fix". (60% failure rate)
